[57] ABSTRACT

A system for a network gateway that provides computer data security using a protocol stack proxy is disclosed. The system evaluates data that arrives at a computer system that is executing a network operating system. The system comprises a protocol stack proxy, coupled between a device driver on the computer system that is configured to receive the data from a network and deliver the data according to a first protocol associated with a first network layer, and one or more components of the network operating system that receive packets according to the first protocol. The protocol stack proxy has one or more protocol proxy layers configured to (A) receive the data from the device driver; (B) pass the data to a second network layer that is higher than the first network layer; (C) evaluate the data to determine whether the data satisfies a predetermined criteria; and (D) if the data satisfies the predetermined criteria, to (D1) pass the data to the first network layer, and (D2) transmit the data to the one or more components to the network operating system.

50 Claims, 5 Drawing Sheets



[FIG. 3 (drawing sheet): computer system 100 running NT system 200. User Mode 202: App Layer 342 with Application Layer Proxy 340; Win32 Subsystem 236. Kernel Mode 204: Protocol Proxy Stack 322 with Proxy Layers 320a, 320b, 320c, 320d, 320e, 320f; Protocol Proxy Manager 350; Protocol Stack 314 with Layers 308a, 308b, 308c; Executive 206; I/O Manager 218; Driver Support Layer 306; Drivers 304a, 304b, 304c; NICs 302a, 302b, 302c connected to the Internet.]



04/14/2004, EAST Version: 1.4.1 



U.S. Patent   Oct. 10, 2000   Sheet 1 of 5   6,131,163



[FIG. 1: block diagram of computer system 100]




Sheet 2 of 5

[FIG. 2: architecture 200 of the Windows NT operating system within Computer System 100: Object Mgr 208, SRM 210, Process Mgr 212, Virtual Memory Mgr 214, LPC Facility 216, I/O Manager 218, Device Driver 230, Kernel 220, API 244, Hardware Abstraction Layer 222, API 232.]



Sheet 3 of 5




Sheet 4 of 5

[FIG. 4A: flow diagram 400: START; Receive Incoming Network Packet (402); Check Packet Against Sessions Defined in Policy Tree; Select Proxy Stack for That Session and Pass Packet to That Stack; or Construct New Proxy Stack and Pass Packet to That Stack; reference numerals 406, 408, 416, 418.]



Sheet 5 of 5

[FIG. 4B: flow diagram]

NETWORK GATEWAY MECHANISM HAVING A PROTOCOL STACK PROXY

FIELD OF THE INVENTION

The present invention relates to security in computer networks, and relates in particular to methods, systems and products for evaluating messages passed through a network operating system of a gateway in a computer network.

BACKGROUND OF THE INVENTION

The power of personal computers, terminals, servers and other standalone computing devices is significantly increased by connecting such devices together in a local area network. Using a network, individual users of standalone devices distributed over a large geographic area can access common resources and communicate. Networks themselves can be interconnected or "internetworked" locally or over a large area. Such networks also can be connected to a vast, global network, operating according to standard protocols, known as the Internet. Using the Internet and certain wide area network technologies, local users and devices can connect to, "log on" to, request and use distant devices and computing resources.

This technology also offers users the power to be intentionally or negligently destructive or disruptive to distant systems in many ways. For example, using a technique known as "IP spoofing," a user can change the Internet Protocol (IP) address in a message sent from the user's computer so that messages or transaction requests sent to a remote network appear to be coming from somewhere else. Thus, there is a need for methods, systems and products that can detect and reject such false requests.

As another example, a malicious computer user may attempt a "Ping of Death" attack on another computer system. In this attack, the malicious user repeatedly sends a "ping" command or its equivalent to the remote system, or configures a computer program to automatically send the "ping" command to the remote system repeatedly and continuously. The "ping" command is normally used to poll a remote system to determine whether it is active. If the remote system always attempts to respond to the "ping" command, during a "Ping of Death" attack the system will quickly become overwhelmed so that it is spending all its computing time responding to queries that form a part of the attack. Thus, there is a need for processes, systems and products that can enable a system to test whether requests are accurate, valid, and are coming from an authorized system.

Many other types of unauthorized requests and malicious attacks are known. There is a need to protect networked computer systems, servers and operating systems from malicious or merely unauthorized uses, requests, commands and data transmissions.

These and other undesired uses of computers are ideally trapped and thwarted as early as possible, before they can affect the entire system. It is desirable to detect unauthorized commands, uses or requests arriving in the form of network data as soon as the data arrives at or enters the computer system from a network connection. Thus, there is a need to perform security checks and evaluations at a low level of a computer system, for example, in the operating system. There is also a need to perform data security checks at a low level of the operating system, for example, as a part of processes that initially receive data from the computer hardware that interfaces the system to a network.

SUMMARY OF THE INVENTION

These needs, and other needs and objects that will become apparent in this document, are fulfilled by the present invention, which comprises, in one aspect, a system for evaluating data that arrives at a computer system that is executing a network operating system. The system comprises a protocol stack proxy coupled between a device driver on the computer system that is configured to receive the data from a network and deliver the data according to a first protocol associated with a first network layer, and one or more components of the network operating system that receive packets according to the first protocol. The protocol stack proxy has one or more protocol proxy layers configured to (A) receive the data from the device driver; (B) pass the data to a second network layer that is higher than the first network layer; (C) evaluate the data to determine whether the data satisfies a predetermined criteria; and (D) if the data satisfies the predetermined criteria, to (D1) pass the data to the first network layer, and (D2) transmit the data to the one or more components to the network operating system.

In another aspect, the invention is a system for evaluating [a data packet in a network operating] system. The system comprises a protocol layer proxy in a kernel memory of the network operating system, and a sequence of instructions […] configured to cause a processor under control of the network operating system to execute steps. The steps involve evaluating the data packet in the protocol layer proxy to determine whether the data packet satisfies a predetermined condition; and passing the data packet from the protocol layer proxy to the network operating system only if the data packet satisfies the predetermined condition.

One feature of this aspect is a security policy defining the condition of the data packet to be evaluated and coupled to the protocol layer proxy. Another feature involves an application layer proxy in an application memory of the network operating system; a second security policy defining a second condition of an application protocol of the data packet to be evaluated; and instructions for passing the data packet to the network operating system only if the data packet complies with the second security policy. A related feature is a security policy decision tree in the kernel memory structured as a binary tree and comprising as nodes thereof the security policy and at least a second security policy.

Yet another related feature is at least one existing session identifier stored in the kernel memory; and wherein the […] processor to execute the step of passing the data packet to the protocol layer proxy only if the data packet matches an existing session identifier. Still another feature is that the system further comprises a network adapter card coupled to the processor; and a security policy decision tree in the kernel memory organized as a binary tree and comprising the security policy and a second security policy associated with the network adapter card.

Another feature of this aspect is that the security policy decision tree comprises a session identifier associated with a network adapter card identifier and with an allowed protocol for the session identifier and the network adapter card. The sequence of instructions comprises instructions configured to cause the processor to execute the step of passing the data packet to the protocol layer proxy only if the data packet matches the session identifier. Still another feature is that the sequence of instructions further comprises instructions configured to cause the processor to execute the step of passing the data packet to the protocol layer proxy only if the data packet matches the allowed protocol.

Another feature involves a second protocol layer proxy associated with the session identifier; and instructions configured to cause the processor to execute the step of passing the data packet to the second protocol layer proxy for evaluation therein. Another feature is a state variable in the protocol layer proxy describing a current state of a current network session.

According to another feature, the protocol layer proxy is coupled to a protocol stack of the network operating system and wherein one of the security policies defines an acceptable criteria for data packets directed to the protocol stack. In another feature, the system further comprises a protocol stack in the kernel memory coupled to the protocol layer proxy; and instructions configured to cause the processor to execute the step of communicating the data packet to the protocol stack after evaluation of the data packet.

In another feature, the system has instructions configured to cause the processor to execute the step of identifying the protocol layer proxy as a device driver to the network operating system. In still another feature, the system has instructions configured to cause the processor to execute the step of instructing the network operating system that only the protocol layer proxy is a network device.

In yet another feature, the sequence of instructions further comprises instructions configured to cause the processor to execute the step of instructing a device driver coupled to the network operating system that the protocol layer proxy is a transport layer for the device driver. According to another feature, the protocol stack further comprises a protocol stack layer corresponding to a data protocol evaluated by the protocol layer proxy, and the data packet is communicated to the protocol stack layer after evaluation of the data packet against the data protocol in the protocol layer proxy.

In another feature, the protocol layer proxy executes in a kernel mode of an Executive portion of a windowed operating system. In other features, the security policy defines allowed routing of the data packet or defines allowed data of the data packet.

According to still other features, the protocol layer proxy is configured to evaluate an IP protocol element of the data packet or a TCP protocol element of the data packet. In yet another feature, there is a second protocol layer proxy for evaluating a second protocol different from a first protocol evaluated by the protocol layer proxy, and the protocol layer proxy and the second protocol layer proxy are contained in a protocol proxy stack coupled to the network operating system.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:

FIG. 1 is a block diagram of a computer system that can be used to operate the present invention;

FIG. 2 is a block diagram showing a view of the architecture of the Windows NT operating system;

FIG. 3 is a block diagram of an embodiment of an apparatus for evaluating data in a networked computer system; and

FIG. 4A and FIG. 4B are flow diagrams of an embodiment of a process for evaluating data in a networked computer system.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A method and apparatus for evaluating information in a network server operating system is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

HARDWARE OVERVIEW

Referring to FIG. 1, it is a block diagram of a computer system 100 upon which an embodiment of the present invention can be implemented. Computer system 100 includes a bus 101 or other communication mechanism for communicating information, and a processor 102 coupled with bus 101 for processing information. Computer system 100 further comprises a random access memory (RAM) or other dynamic storage device 104 (referred to as main memory), coupled to bus 101 for storing information and instructions to be executed by processor 102. Main memory 104 also may be used for storing temporary variables or other intermediate information during execution of instructions by processor 102. Computer system 100 also comprises a read only memory (ROM) and/or other static storage device 106 coupled to bus 101 for storing static information and instructions for processor 102. Data storage device 107 is coupled to bus 101 for storing information and instructions.

A data storage device 107 such as a magnetic disk or optical disk and its corresponding disk drive can be coupled to computer system 100. Computer system 100 can also be coupled via bus 101 to a display device 121, such as a cathode ray tube (CRT), for displaying information to a computer user. Computer system 100 further includes a keyboard 122 and a cursor control 123, such as a mouse, […]

The present invention is related to the use of computer system 100 to evaluate information in a network operating system. According to one embodiment, evaluation of information in a network operating system is performed by computer system 100 in response to processor 102 executing sequences of instructions contained in memory 104. Such instructions may be read into memory 104 from another computer-readable medium, such as data storage device 107. Execution of the sequences of instructions contained in memory 104 causes processor 102 to perform the process steps that will be described hereafter. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the present invention. Thus, the present invention is not limited to any specific combination of hardware circuitry and software.

NETWORKED OPERATING SYSTEMS

The present invention provides ways to evaluate information in a network operating system. Modern network operating systems are often discussed and compared with reference to an abstract model of operating system components called the OSI reference model, developed in 1978 by International Standards Organization (or OSI). In the OSI reference model, an operating system has seven layers, as shown in Table 1. By convention, the Physical layer is identified as the lowest layer and is labeled Layer 1.
TABLE 1

OSI Reference Model

Layer Name      Layer Number
Application     7
Presentation    6
Session         5
Transport       4
Network         3
Data Link       2
Physical        1


Generally, each of the components of a network operating system can be compared or "mapped" to one of the layers in the OSI reference model. Each of the layers in the OSI reference model, except the physical layer, generally is associated with a definition of the format of data communicated in that layer, called the "protocol" for the layer. Table 2 lists OSI reference model layers 2 through 7 and exemplary protocols for each layer.



TABLE 2

Protocols for OSI Reference Model Layers

Layer Name      Layer Number   Exemplary Protocol(s)
Application     7              Server Message Block (SMB); NetWare Control Protocol (NCP)
Presentation    6              Simplified Network Management Protocol (SNMP)
Session         5              NetBIOS
Transport       4              Transmission Control Protocol (TCP); Sequenced Exchange Protocol (SPX)
Network         3              Internet Protocol (IP); Internet Packet Exchange (IPX)
Data Link       2              Ethernet frame, Token Ring frame
Physical        1              (not applicable)

One modern network operating system with which the invention can be used is Microsoft® Windows NT® Release 4; however, the invention can be used with any network operating system that includes a kernel or its equivalent through which network data flows before being delivered to other operating system layers. The architecture of the Windows NT operating system is shown in FIG. 2 and generally identified by reference numeral 200. Windows NT (also referred to herein as "NT") includes numerous software modules or "components." Components can run in a User Mode 202 or a Kernel Mode 204. When a component runs in the Kernel Mode, it can access all machine instructions for the processor 102 and generally can use all resources of the computer system 100. In NT, such components as the Executive Services (or "executive") 206, the Kernel 220, and the Hardware Abstraction Layer ("HAL") 222 run in Kernel Mode 204.

A Win32 subsystem 236 and other environmental subsystems such as a DOS/Win16 subsystem 238, OS/2 subsystem 240 and POSIX subsystem 242 run in User Mode 202. A security system 234 runs in User Mode 202 and provides user authentication and network authorization functions. The environmental subsystems 234, 236, 238, 240, 242 are User Mode software servers that create and support applications written for another operating system environment, such as DOS, OS/2, and POSIX.

Details of the NT operating system and its components are extensively documented in numerous publications, including K. Siyan, "Windows NT Server 4 Professional Reference" (Indianapolis: New Riders Publishing, 1996), and are not set forth here so as not to obscure the invention.

The HAL 222 interconnects the Kernel 220 to the hardware of computer system 100. The HAL 222 provides an Application Programming Interface (API) (such as API 244) for each principal hardware component of computer system 100 so that the Kernel can be written to communicate with the API rather than the actual machine hardware. In this way, the Kernel and other layers above it are generally hardware-independent. Generally, the Kernel uses the HAL to access computer system 100. A portion of the Kernel, and the I/O Manager 218, accesses hardware of the computer system 100 directly without using the HAL.

The Kernel 220 provides basic operating system functions used by other executive components, such as thread scheduling, hardware exception handling, and multiprocessor synchronization. The Kernel 220 communicates with a processor in computer system 100 through the API 244 to dispatch threads on the next available processor.

The executive 206 has Kernel Mode components that implement processes such as managing software objects (through Object Manager 208), security (using Security Reference Monitor 210), process management (through Process Manager 212), memory management (using Virtual Memory Manager 214), local procedure calls (through Local Procedure Call Facility 216), and input/output management (using I/O Manager 218). The Security Reference Monitor (SRM) 210 enforces user security and application security. Requests by an application or another executive component to access or create an object pass through the SRM. The SRM compares an Access Control Entry (ACE) in an Access Control List (ACL) of the object and tests whether the ACE matches a Security ID of a user or group. If there is no match, access to the object is denied and an exception is raised. Thus, the SRM handles security at the application object level rather than lower levels.

The I/O Manager 218 manages and supervises all input/output functions of the NT operating system. The I/O Manager 218 communicates with a device driver 230 through a device API 232 to hardware devices in the computer system 100. There is one device driver 230 for each class of hardware device. For example, to communicate with disk storage devices, the I/O Manager 218 uses a file system driver. To communicate with network interface cards (NICs), the I/O manager 218 uses an NIC driver.

SECURING THE SYSTEM 

FIG. 3 is a simplified block diagram of the NT operating system shown as part of a computer system 100 adapted with features of the present invention. The system is adapted to receive and transmit messages or other communications to a local area network 310 that is coupled to a global computer network 312 such as the Internet. The network is coupled to the computer system 100 through one or more Network Interface Cards (NICs) 302a, 302b, 302c. Each of the NICs 302a, 302b, 302c is coupled to the bus 101 of the computer system. Data encapsulated in packets is transferred between the network 310 and the processor 102 through the computer bus 101 and a NIC 302a. To encode signals suitably for transmission, the NIC 302a provides a transmitter/receiver function. Each type of NIC 302a, 302b, 302c has a corresponding driver program 304a, 304b, 304c. The driver programs 304a, 304b, 304c each are coupled to a driver support layer 306, which is a software element responsible for receiving data from a driver program, determining what
protocol the data represents, and passing the data to a protocol stack 314.

The protocol stack 314 comprises a plurality of protocol layers 308a, 308b, 308c. Each of the protocol layers comprises a software element or routine that can receive data organized according to a particular protocol (such as the protocols shown in Table 2), interpret the data in a network data packet, convert it to another protocol, and pass it on to a superior or subordinate protocol. For example, in one embodiment, a protocol stack 314 comprises one layer 308[…] reference model.

In the NT system, the driver support layer 306 corresponds to the data link layer (second layer) of the OSI reference model. The NT system can support several different kinds of driver support layer specifications, such as the Network Driver Interface Specification (NDIS) (developed by Microsoft Corporation and 3Com Corporation) and the Open Data link Interface (ODI) (developed by Apple Computer, Inc. and Novell Corporation). Also, ODI can be supported on top of NDIS.

The drivers 304a, 304b, 304c can be written to communicate with the driver support layer 306 rather than the protocol stack 314. In this way, those writing the drivers do not need to know the structure of the protocol stack 314, and each of the NICs 302a, 302b, 302c can support multiple protocols concurrently.

Multiple protocol stacks can be defined. The driver support layer 306 stores information describing each protocol stack 314 in the system. The driver support layer also stores information describing each driver 304a, 304b, 304c and the protocols it supports. When protocol stacks or drivers load, they identify themselves to the driver support layer. The driver support layer also stores meta-data describing data packets in event control blocks (ECBs) in the memory 104. ECBs contain packet identifiers used by the driver support layer to route packets.

Using this structure, when a data packet arrives from the network 310 at an NIC 302a, the NIC 302a encodes the data packet as a bit pattern and stores it in a small, on-board memory area or data buffer. Adapter logic communicates data from the data buffers to the computer bus 101 by translating the data using a media access method appropriate for the type of network connection in use (e.g., Ethernet, token ring, etc.). The NIC generates an interrupt request to inform the processor 102 that a data packet has arrived. The interrupt request is a signal on an interrupt line coupled from the NIC to an interrupt controller to the processor 102. In computers based on Intel processors, the interrupt line is an index to an interrupt vector table stored in local volatile memory. The interrupt vector table stores a pointer to an interrupt service routine or to one of the driver programs 304a, 304b, 304c used to handle the packet.

A driver such as driver program 304a then retrieves the data packet from the NIC buffer, writes a copy to main memory 104, formats the data in a way expected by driver support layer 306, and passes the packet to the driver support layer 306. The formatting performed by the driver program 304a includes identifying the transport layer to be used by the driver support layer 306. The driver support layer 306 determines which protocol is used for the data and passes the packet to a protocol layer 308a, 308b, 308c of the protocol stack 314. Each layer of the protocol stack reformats data in the packet so it can be used and understood by a higher layer. Higher-level processes such as the I/O Manager 218 and the Executive 206 remove packets from the protocol stack as they become available at the layer understood by such processes, and carry out substantive processing on the data. This process is known as passing a packet "up the stack."

To communicate a message from the processor 102 to the network 310 or Internet 312, the foregoing process is followed in reverse. This is known as passing a packet "down the stack." In passing packets down the stack, a command or character generated by an application program […] the network 310 according to one or more standard protocols. The stack allows use of […] combinations of protocols.

In one embodiment, the system further comprises a protocol proxy manager 350 coupled by a communication path 356 to the driver support layer 306. A protocol proxy stack 322, comprising a plurality of protocol proxy layers 320a, 320b, 320c, is coupled to the protocol proxy manager 350 along a bi-directional communication path. The protocol proxy manager 350 and the protocol proxy stack 322 are stored in a kernel memory area of main memory 104 and execute in Kernel Mode 204 of the operating system 200. The protocol proxy manager can communicate information up the protocol proxy stack 322 along communication path 352 and can receive packets coming down the protocol proxy stack along communication path 354.

An application layer proxy 340 located in an application layer 342 is coupled to the protocol proxy manager 350. A security or session policy tree 330 in the kernel mode area of main memory 104 is coupled to the protocol proxy stack 322, to the application layer proxy 340, and to the protocol proxy manager 350.

Each of the protocol proxy layers 320a, 320b, 320c is a software element that is configured to operate in the same manner as a corresponding protocol layer 308a, 308b, 308c of protocol stack 314. Each of the protocol proxy layers 320a, 320b, 320c further comprises instructions that cause the processor 102 to carry out security check steps on each data packet that the protocol proxy layer receives. For example, in one embodiment, a protocol proxy layer 320a is responsible for the network layer and the currently defined network layer protocol is the Internet Protocol (IP). In this embodiment, the protocol proxy layer 320a may execute steps to check whether an IP address contained in a packet received at the protocol proxy layer 320a is a valid IP address and to drop or discard the packet if the address is invalid. This process is referred to as evaluation of a packet or conducting security checks on a packet. Each proxy layer performs security checks for all commands defined in the protocol associated with a proxy layer. The session policy tree has a node for each protocol that is valid for a particular session. Packets contain a session identifier. Security checks are performed only for protocols defined as part of a current session by the policy tree.

If the packet includes a request for application-layer services, such as HTTP object caching, the packet is passed to the application layer proxy 340. The application layer proxy 340 is stored in and executes in the application layer 342, i.e., outside the kernel mode and kernel memory space. The application layer proxy carries out the requested services on the data packet. By separating application layer evaluation, application layer services are carried out only when necessary, without slowing the security inspections by sending every data packet to the application layer. If the extra services are not needed, the packet never enters the application layer.

According to one embodiment, protocol proxy manager 350 poses as layer 308a (i.e. the transport layer) to all device drivers 304a, 304b and 304c, while simultaneously posing as a device driver to layer 308a. Specifically, when the protocol proxy manager 350 is installed, as part of an installation process the device drivers 304a, 304b, 304c are instructed that the protocol proxy manager 350 is the transport layer. In this way, when a packet is passed from a driver 304a to the driver support layer 306, the driver 304a will always request the driver support layer 306 to use the protocol proxy manager 350 as the transport layer. This ensures that all incoming data packets will be sent to the protocol proxy manager 350 rather than to the protocol stack 314.

Further, as part of the installation process, the NT system 
200 is instructed that all devices attached to the system can 
only be accessed through the protocol proxy manager 350
posing as a device driver. In this way, all output messages 
from the system will be directed at the protocol proxy 
manager 350 rather than at an actual device driver 304a. 
Moreover, the protocol proxy manager 350 appears to the 
NT system as a device driver and therefore is simple to
implement in the NT as it precludes the need to reconfigure 
proprietary network interface card driver programs. 

The security checks and evaluation processes for each 
protocol layer are defined in the policy tree 330. The policy 
tree 330 is stored in the main memory 104 and is structured 
as a binary tree. In the binary tree, superior leaf nodes each 
represent a port number of a NIC and subordinate leaf nodes 
each represent a protocol recognized for that port number, or 
a test or condition to be applied to a packet originating from 
the NIC at that port number and for that protocol. A policy
tree 330 is dynamically allocated in memory or created by 
the protocol proxy manager 350 whenever a new network 
session begins. The policy trees 330 define tests or condi- 
tions only for specific protocols that form a part of the 
session for which they are created. In this way, a system 
administrator can establish a secure system by excluding 
certain protocols from a given session. 

The policy tree 330 is a representation of an abstract
security policy. A security policy can instruct the system to
accept or reject a data packet based upon criteria relating to
the data packet. For example, the criteria include the current
time of day, the current day of the week, the destination of
the data packet such as a particular host or server, the
identity of the network service represented by the packet
(such as World Wide Web, FTP, etc.), and other criteria. An
example of an abstract security policy that can be repre-
sented in the policy tree 330 is:

    IF Time Of Day Is (0900 to 1700)
        THEN If Service Is (FTP)
            THEN Reject
            OTHERWISE Accept
        OTHERWISE If Service Is (HTTP)
            THEN Accept


The policy tree 330 can be established and used as 
described in co-pending U.S. Provisional Patent Application 
Ser. No. 60/074,945, filed on Feb. 17, 1998, and non- 
provisional application Ser. No. 09/210,143, filed Dec. 11, 
1998, entitled "Graphical Network Security Policy 
Management," the entire disclosure of which is hereby 
incorporated by reference as if fully set forth herein. 
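The abstract policy above can be realised as a small binary decision tree that is walked from the root; the following Python is an added example, not code from the patent or its drawings. The Packet attributes, the predicate helpers, the placeholder host name, and the fail-closed default for a branch the policy leaves unspecified are assumptions made for this example, and the second tree goes beyond the text's example by nesting it under a day-of-week test using the other criteria the text lists.

```python
"""Binary policy tree evaluator for the abstract security policy shown above.

Added example, not code from the patent. An interior node carries a test
over the packet's attributes plus a THEN subtree (test true) and an
OTHERWISE subtree (test false); a leaf is the verdict. A branch the policy
leaves unspecified evaluates to None and falls back to a fail-closed
default (an assumption of this example, not stated in the text).
"""
from dataclasses import dataclass
from typing import Callable, Union


@dataclass(frozen=True)
class Packet:
    time_of_day: int        # 24-hour clock as an integer, e.g. 930 for 09:30
    service: str            # network service represented by the packet
    weekday: str = "Mon"    # day of the week
    destination: str = ""   # destination host or server


@dataclass(frozen=True)
class Node:
    test: Callable[[Packet], bool]
    then: "Tree"
    otherwise: "Tree" = None    # an omitted OTHERWISE branch


Tree = Union[Node, str, None]   # verdict string at a leaf, None = undecided


def evaluate(tree: Tree, pkt: Packet, default: str = "reject") -> str:
    """Walk from the root, taking THEN or OTHERWISE at each node, to a leaf."""
    node = tree
    while isinstance(node, Node):
        node = node.then if node.test(pkt) else node.otherwise
    return default if node is None else node


def time_between(start: int, end: int) -> Callable[[Packet], bool]:
    return lambda p: start <= p.time_of_day <= end


def service_is(name: str) -> Callable[[Packet], bool]:
    return lambda p: p.service == name


def weekday_in(*days: str) -> Callable[[Packet], bool]:
    return lambda p: p.weekday in days


def destination_is(host: str) -> Callable[[Packet], bool]:
    return lambda p: p.destination == host


# The policy from the text, node for node:
#   IF Time Of Day Is (0900 to 1700)
#       THEN If Service Is (FTP) THEN Reject OTHERWISE Accept
#       OTHERWISE If Service Is (HTTP) THEN Accept
EXAMPLE_POLICY = Node(
    test=time_between(900, 1700),
    then=Node(service_is("FTP"), "reject", "accept"),
    otherwise=Node(service_is("HTTP"), "accept"),
)

# Extension using the other criteria the text lists (day of week,
# destination): at the weekend only HTTP to one host is accepted; on
# weekdays the example policy applies unchanged as a subtree.
# The host name is a placeholder.
WEEKEND_POLICY = Node(
    test=weekday_in("Sat", "Sun"),
    then=Node(service_is("HTTP"),
              Node(destination_is("www.example-host.invalid"), "accept", "reject"),
              "reject"),
    otherwise=EXAMPLE_POLICY,
)
```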

The protocol proxy manager 350 stores state information
about each active session in the kernel memory in a set of
state variables. Values in the state variables are passed to
each of the protocol proxy layers as a packet moves up and
down the layers.

More than one protocol proxy stack 322 may be stored in 
the kernel memory area. In one embodiment, protocol proxy 
stacks 322 are dynamically allocated and constructed when- 
ever a new session begins. Each session has a separate 
protocol proxy stack. All the protocol proxy stacks are 
managed by the protocol proxy manager 350. When the 
session ends, the proxy stack for that session is deallocated 
and its memory space is reclaimed. 

The protocol stack 314 of the NT system 200 coexists 
with the proxy protocol stacks allocated by protocol proxy 
manager 350 without any changes and can have a separate 
security policy assigned to it. 

FIG. 4A is a flow diagram of a method (generally desig- 
nated 400) of evaluating data in a computer. The start step 
401 includes the substep of establishing, separately or 
offline, a session policy tree 330 that defines security poli- 
cies. Based on a network security policy applied to each 
network interface card, the session policy tree is constructed 
and stored in memory to control the creation of sessions for 
that card. A system administrator defines the security policy. 
The start step 401 further includes the substep of establish- 
ing a protocol proxy stack comprising at least one protocol
proxy layer in a kernel mode memory area of a computer 
system. The start step 401 may also include the substep of 
establishing a protocol proxy manager in communication 
with the protocol proxy stack and the computer system, and 
wherein the protocol proxy manager communicates with the 
security policy tree and with network interface cards of the 
computer system. 

The process begins in step 402 wherein a computer 
system receives a data packet arriving from a computer 
network. As shown in step 404, each time a network packet 
arrives, the process tests whether the packet belongs to an 
existing session. This is done by calculating a session 
identifier from information contained within the packet and 
then comparing this identifier with a list of current sessions 
stored in a main memory of the computer system. If the 
packet belongs to a current session, then in step 406 the 
process selects the corresponding proxy stack from among 
the proxy stacks currently stored in the main memory. If 
proxy stacks have been created earlier for prior data packets, 
then the full set of such available proxy stacks will reside in 
a kernel memory area, ready to proxy any protocol layer and 
perform full security checks. In step 408 the process passes 
the packet to the protocol proxy stack for that session. 
Processing then continues with step 420, discussed below. 

If the test of step 404 is negative, then the packet does not 
belong to an existing session. Therefore, in step 410 the 
packet is checked against the session policy tree definition to 
determine whether the session identified in the packet is a 
valid session for the network interface card from which the 
packet has been received. If the session policy tree contains 
definitions for the session and network interface card rep- 
resented by the packet, as tested in step 412, then in step 416 
a new proxy stack is dynamically constructed in memory. 
This protocol proxy stack is established in the kernel 
memory area. In step 418 the packet is passed to that proxy 
stack for evaluation. Processing then continues with step 
420, discussed below. 

If the test of step 412 is negative, then the session is not 
defined in the tree. Thus, the session identified in the packet 
is invalid or prohibited, and in step 414 the packet is dropped
and the process is done. In this way, prohibited or invalid 
data packets are blocked by the system at an early stage. 
For packets of a valid session, the dynamically con-
structed proxy stacks evaluate the network packet for only
those protocols that are defined as valid by the session policy
tree. As shown in step 420, from the session policy tree, the
process retrieves the next protocol defined for the session of
the current packet. If the protocol is associated with the next
higher OSI layer, then the packet is passed to the next
highest proxy layer and processing is carried out in that
proxy layer. Through these steps, the packet moves up the
protocol proxy stack. In steps 422 and 424 the process tests
whether the format and contents of the packet are valid or
allowed for the current protocol. If either one is invalid, then
the packet is dropped and processing is complete. Steps 422
and 424 can include the substeps of analyzing all commands
for each protocol, analyzing whether the routing specified in
the packet is allowed, and other evaluations and tests. The
specific evaluations and tests that are carried out vary
according to the protocol. Protocols that can be evaluated
include TCP, IP, UDP, and ICMP. For example, for the IP
protocol, steps 422 and 424 may include the substeps of
carrying out network address translation and determining
whether the translated address is valid. For the TCP
protocol, steps 422 and 424 may include the steps of
verifying whether a checksum in the packet is valid for the
contents of the packet.

If both the format and contents of the packet are valid,
then in step 426 the process examines the packet to deter-
mine whether its format or contents need to be modified to
comply with the current protocol. If so, then in step 428 the
packet is modified to adjust its format and data to conform
to the protocol.

In step 430 the process tests whether another protocol is
defined for the current session. If so, then control returns to
step 420 to repeat the foregoing process for the next protocol
defined for the current session. In this way, a data packet is
first tested at the lowest protocol layer defined for the
session, and the data packet is allowed to proceed upward in
the protocol proxy stack only after successfully passing
lower level tests. Thus, each network packet and the data it
carries must be valid for each protocol layer. This enables
the system to trap faults at the earliest possible time before
invalid or unauthorized packets rise to higher levels of the
stack and before they are released to other processes or parts
of the system.

If the process determines in step 430 that no other
protocols are defined for the current session, then in step 432
the process examines the packet to determine whether it
requires application-layer services. If so, then in step 434 the
process passes the packet to an application layer protocol
proxy running in application mode in an application memory
area of the system, in which application layer services and
further packet evaluation are carried out. Examples of appli-
cation level tests include determining whether a request in
the Hypertext Transfer Protocol (HTTP) is valid and
whether such a request contains a valid Uniform Resource
Locator (URL). In this way, for application-layer services,
the application layer services are carried out only if neces-
sary without slowing the security inspections.

After application-layer services are complete, or if none
are needed, in step 444 the process passes the packet back
down the stack by passing the packet sequentially back
down proxy layers 320d, 320e, 320f. More or less than three
such downward directed proxy layers 320d, 320e, 320f may
be provided as long as there is one proxy layer for each
proxy layer 320a, 320b, 320c through which packets are
passed up the stack. At each of these downward directed
proxy layers, the packet is re-examined and evaluated
against protocols defined in the session policy tree for the
session to which the packet belongs. In addition, the packet
is formatted according to a protocol understood by the
next lower layer. Thus, the processing steps described above
for proxy layers 320a, 320b, and 320c are essentially
reversed as the packet passes down the stack through the
layers 320d, 320e, 320f.

After the packet passes down the stack, the process tests
whether the network packet is destined for another
computer. If so, then in step 442 the process passes the
packet on to other system processes for delivery to that
computer. In step 438 the system tests whether the
destination of the network packet is the native network
stack, and if so, it is passed on for delivery. Only valid
packets are passed on to the native network protocol stacks,
and each packet is examined at each layer of the operating
system as the packet travels up the stack.

The system and processes disclosed herein can be imple-
mented as one or more computer programs and can form a
part of a "firewall" in a networked computer system. Indeed,
the stack proxy architecture of the system enables it to be
implemented in the same server computer that is used in a
networked computer system to run other applications. For
example, the system can be installed on a server computer
that is running HTTP server software. The system and
processes disclosed herein can be implemented as a
sequence of machine instructions recorded on a computer
readable medium such that the instructions, when executed
by a computer, cause the computer to establish the structures
and carry out the processes described herein. Preferably,
the system is a part of a network gateway.

In one embodiment, in a networked computer system, a
plurality of systems as described herein are deployed so that
each server in the networked computer system has its own
protocol proxy manager and protocol proxy stack. The
session policy tree is stored in a centralized, high-speed
database accessible over the network to each of the protocol
proxy managers and protocol proxy stacks. A monitor pro-
gram runs on one of the servers and polls each of the
protocol proxy managers in the networked system to deter-
mine and report on the status of each of the managers. An
administration program runs on one of the servers and
provides a graphical user interface whereby the session
policy tree is created, configured, reviewed, modified,
and stored in the database.

Thus, a method, apparatus, and product for evaluating
data in a computer has been described. A protocol proxy
stack is established in the kernel memory area. The full set
of available proxies reside in the kernel, ready to proxy any
protocol layer and perform full security checks. Based on the
network security policy applied to each network adapter
card, a session policy tree is constructed and stored in
memory to control the creation of sessions for that card.
Each time a network packet arrives, it is examined to
determine whether it belongs to an existing session. If so, the
packet is passed to the protocol proxy stack for that session.
Otherwise, the packet is checked against the session policy
tree definition. If the session policy tree contains definitions
for the session represented by the packet, a new proxy stack
is dynamically constructed and the packet is passed to that
stack for evaluation. If the session is not defined in the tree,
the packet is dropped.

Dynamically constructed stacks evaluate the network
packet for only those protocols that are defined by the
session. All commands for each protocol are analyzed. The
packet can be modified by any layer in the stack or dropped
if the security checks fail. All packet modifications are
performed at the appropriate protocol proxy layer. If the
network packet is destined for another computer or the
native network stack, it is passed on for delivery. For
application-layer services, the protocol proxy manager for-
wards the packet to an application layer proxy that provides
extra services without slowing the security inspections.
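The session dispatch and layer-by-layer evaluation of FIG. 4A, simulated in Python as an added example that is not code from the patent: the session identifier of step 404, the session policy check of steps 410 to 416 (the policy is modelled as a mapping from NIC identifier to allowed protocols rather than the binary tree the text describes), one proxy stack per session, and the IP and TCP checks of steps 422 and 424 (header sanity and checksum verification). Network address translation, the application layer proxy and the downward layers are left out, and every packet is constructed inline for the test rather than captured.

```python
"""Session dispatch and layered proxy evaluation of FIG. 4A, simulated.

Added example, not code from the patent. The session policy is a mapping
from NIC identifier to the protocols allowed on that NIC (the text describes
a binary tree); only the IP and TCP checks are modelled, and NAT, the
application layer proxy and the downward layers are omitted. All packet
bytes below are constructed for the example, not captured traffic.
"""
import struct
from ipaddress import IPv4Address

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; over data that already carries its checksum it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_layer(pkt: bytes):
    """IP proxy layer (steps 422/424): version, lengths, header checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not an IPv4 packet"
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or ihl > len(pkt) or total_len != len(pkt):
        return "IP length mismatch"
    if ones_complement_sum(pkt[:ihl]) != 0:
        return "bad IP header checksum"
    return None                     # None means the layer accepted the packet


def tcp_layer(pkt: bytes):
    """TCP proxy layer (steps 422/424): checksum over pseudo-header + segment."""
    seg = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] != 6 or len(seg) < 20:
        return "not a complete TCP segment"
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    if ones_complement_sum(pseudo + seg) != 0:
        return "bad TCP checksum"
    return None


# Lowest layer first: a packet reaches TCP only after passing IP (step 420).
LAYER_ORDER = [("IP", ip_layer), ("TCP", tcp_layer)]


def session_id(pkt: bytes):
    """Session identifier derived from the packet alone (step 404)."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (pkt[9], str(IPv4Address(pkt[12:16])), sport,
            str(IPv4Address(pkt[16:20])), dport)


class ProxyManager:
    """Keeps one proxy stack per live session and dispatches packets to it."""

    def __init__(self, session_policy):
        self.policy = session_policy   # {nic_id: {"IP", "TCP", ...}}
        self.stacks = {}               # session id -> ordered list of layers

    def handle(self, nic: str, pkt: bytes) -> str:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or len(pkt) < (pkt[0] & 0x0F) * 4 + 4:
            return "drop: runt or non-IPv4 frame"
        sid = session_id(pkt)
        stack = self.stacks.get(sid)                    # steps 404/406
        if stack is None:                               # steps 410-416
            allowed = self.policy.get(nic, set())
            proto = PROTO_NAMES.get(pkt[9], "proto %d" % pkt[9])
            if "IP" not in allowed or proto not in allowed:
                return "drop: %s not allowed on %s" % (proto, nic)
            stack = [fn for name, fn in LAYER_ORDER if name in allowed]
            self.stacks[sid] = stack                    # new per-session stack
        for layer in stack:                             # steps 420-430
            err = layer(pkt)
            if err:                                     # fails at the lowest layer
                return "drop: " + err
        return "deliver"


def build_ipv4_tcp(src, dst, sport, dport, payload=b"", proto=6, corrupt=False):
    """Constructed sample packet: IPv4 header + 20-byte TCP header + payload."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    seg += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    csum = ones_complement_sum(ip[12:20] + struct.pack("!BBH", 0, 6, len(seg)) + seg)
    if corrupt:
        csum ^= 0x0001                 # flip one bit so the TCP check fails
    return ip + seg[:16] + struct.pack("!H", csum) + seg[18:]
```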

Because packet evaluation occurs in kernel mode and in 
kernel memory, rather than after packets arrive at the appli- 
cation layer, performance of the system is higher than known 
packet filtering systems. In addition, since the native NT 
protocol stack is not affected, local programs can run using 
the native NT protocol stack, circumventing all the security 
checks. This prevents such local programs from suffering
performance degradation. 

In the foregoing specification, the invention has been 
described with reference to specific embodiments thereof. It 
will, however, be evident that various modifications and 
changes may be made thereto without departing from the
broader spirit and scope of the invention. The specification 
and drawings are, accordingly, to be regarded in an illus- 
trative rather than a restrictive sense. 

What is claimed is: 

1. A system for evaluating a data packet using a network 
operating system, comprising: 

a protocol layer proxy stored in a kernel memory and 
executed in a kernel mode of said network operating 
system; and 

a sequence of instructions stored in said kernel memory
and executed in the kernel mode configured to cause a
processor under control of said network operating 
system to execute the steps of: 

evaluating said data packet in said protocol layer proxy in
the kernel mode to determine whether said data packet
satisfies a predetermined condition; and

passing said data packet from said protocol layer proxy to
a protocol stack that is outside the kernel mode of said
network operating system only if said data packet
satisfies said predetermined condition.

2. The system recited in claim 1, further comprising an 
initial security policy defining said condition of said data 
packet to be evaluated and coupled to said protocol layer 
proxy.

3. The system recited in claim 2, further comprising: 

a second security policy defining a second condition of an 
application protocol of said data packet to be evaluated; 
and 

wherein said sequence of instructions further comprises
instructions configured to cause said processor to 
execute the step of passing said data packet to said 
network operating system only if said data packet 
complies with said second security policy. 

4. The system of claim 1, further comprising a second
protocol layer proxy for evaluating different data of a second 
protocol different from a first protocol evaluated by said 
protocol layer proxy at the same time as said protocol layer 
proxy, and wherein said protocol layer proxy and said 
second protocol layer proxy are contained in a protocol
proxy stack coupled to said network operating system.

5. The system of claim 1, wherein said protocol layer 
proxy is configured to evaluate a UDP protocol element of 
the data packet. 

6. The system of claim 1, wherein the protocol layer proxy
is configured to evaluate an Internet Control Messaging 
Protocol (ICMP) protocol element of the data packet. 



7. A system for evaluating a data packet using a network 
operating system, comprising: 

a protocol layer proxy in a kernel memory of said network
operating system; and

a sequence of instructions stored in said kernel memory
configured to cause a processor under control of said 
network operating system to execute the steps of: 

evaluating said data packet in said protocol layer proxy to 
determine whether said data packet satisfies a prede- 
termined condition; 

passing said data packet from said protocol layer proxy to 
said network operating system only if said data packet 
satisfies said predetermined condition; 

an initial security policy defining said condition of said 
data packet to be evaluated and coupled to said protocol 
layer proxy; 

a security policy decision tree in said kernel memory 
structured as a binary tree and comprising as nodes 
thereof said security policy and at least a second 
security policy. 

8. The system recited in claim 7, further comprising at 
least one existing session identifier stored in said kernel 
memory; and wherein said sequence of instructions further 
comprises instructions configured to cause said processor to
execute the step of: 

passing said data packet to said protocol layer proxy only 
if said data packet matches an existing session identi- 
fier. 

9. A system for evaluating a data packet using a network 
operating system comprising: 

a protocol layer proxy in a kernel memory of said network 
operating system; and 

a sequence of instructions stored in said kernel memory 
configured to cause a processor under control of said
network operating system to execute the steps of: 

evaluating said data packet in said protocol layer proxy to 
determine whether said data packet satisfies a prede- 
termined condition; 

passing said data packet from said protocol layer proxy to 
said network operating system only if said data packet 
satisfies said predetermined condition; 

an initial security policy defining said condition of said 
data packet to be evaluated and coupled to said protocol 
layer proxy; 

a network adapter card coupled to said processor; and 
a security policy decision tree in said kernel memory 
organized as a binary tree and comprising said security 
policy and a second security policy associated with said 
network adapter card. 

10. The system recited in claim 9, wherein said security 
policy decision tree comprises a session identifier associated
with a network adapter card identifier and with an allowed 
protocol for said session identifier and said network adapter 
card; and 

wherein said sequence of instructions further comprises 
instructions configured to cause said processor to 
execute the step of passing said data packet to said 
protocol layer proxy only if said data packet matches 
said session identifier. 

11. The system of claim 10, wherein said sequence of 
instructions further comprises instructions configured to 
cause said processor to execute the step of passing said data 
packet to said protocol layer proxy only if said data packet 
matches said allowed protocol. 
12. The system of claim 11, further comprising:

a state variable stored in said protocol layer proxy 
describing a current state of a current network session. 

13. The system of claim 10, further comprising: 

a second protocol layer proxy associated with said session
identifier; and 

wherein said sequence of instructions further comprises 
instructions configured to cause said processor to 
execute the step of passing said data packet to said 
second protocol layer proxy for evaluation therein. 

14. The system of claim 9 wherein said protocol layer 
proxy is coupled to a protocol stack of said network oper- 
ating system and wherein one of said security policies 
defines an acceptable criteria for data packets directed to 
said protocol stack. 

15. A system for evaluating a data packet using a network 
operating system, comprising: 

a protocol layer proxy in a kernel memory of said network
operating system, and

a sequence of instructions stored in said kernel memory
configured to cause a processor under control of said
network operating system to execute the steps of:

evaluating said data packet in said protocol layer proxy to
determine whether said data packet satisfies a prede-
termined condition;

passing said data packet from said protocol layer proxy to
said network operating system only if said data packet
satisfies said predetermined condition;

wherein said sequence of instructions further comprises
instructions configured to cause said processor to
execute the step of identifying said protocol layer proxy
as a device driver to said network operating system.

16. A system for evaluating a data packet using a network 
operating system, comprising:

a protocol layer proxy in a kernel memory of said network 
operating system; and 

a sequence of instructions stored in said kernel memory 
configured to cause a processor under control of said 
network operating system to execute the steps of: 

evaluating said data packet in said protocol layer proxy to 
determine whether said data packet satisfies a prede- 
termined condition; 

passing said data packet from said protocol layer proxy to 
said network operating system only if said data packet 
satisfies said predetermined condition; 

wherein said sequence of instructions further comprises 
instructions configured to cause said processor to 
execute the step of instructing said network operating 
system that said protocol layer proxy is a network 
device. 

17. A system for evaluating a data packet using a network 
operating system, comprising; 

a protocol layer proxy in a kernel memory of said network 
operating system; and 

a sequence of instructions stored in said kernel memory 
configured to cause a processor under control of said 
network operating system to execute the steps of: 

evaluating said data packet in said protocol layer proxy to
determine whether said data packet satisfies a prede-
termined condition;

passing said data packet from said protocol layer proxy to
said network operating system only if said data packet
satisfies said predetermined condition;

wherein said sequence of instructions further comprises 
instructions configured to cause said processor to 
execute the step of instructing a device driver coupled
to said network operating system that said protocol
layer proxy is a transport layer for said device driver.

18. A system for evaluating data that arrives at a computer 
system that is executing a network operating system, com- 
prising: 

a protocol stack proxy stored in a kernel memory and 
executed in a kernel mode of the network operating 
system and coupled between (a) a device driver on said 
computer system that is configured to receive said data 
from a network and deliver said data according to a first 
protocol associated with a first network layer and (b) a 
component of said network operating system that 
receives packets according to said first protocol; 

said protocol stack proxy including a proxy layer config- 
ured to 

(i) receive said data from said device driver; 
(ii) pass said data to a second network layer that is higher
than said first network layer; and 

(iii) evaluate said data to determine whether said data 
satisfies a predetermined criteria, and if so, pass said 
data to a protocol stack of the network operating system 
that is executed outside the kernel mode. 

19. The system recited in claim 18, wherein said proxy 
layer is configured to test whether said data satisfies said 
predetermined criteria, and if so, then to pass said data to
said first network layer and transmit said data to said 
component of said network operating system. 

20. A system for evaluating data that arrives at a computer 
system that is executing a network operating system, com- 
prising: 

a protocol stack proxy coupled between (a) a device 
driver on said computer system that is configured to 
receive said data from a network and deliver said data 
according to a first protocol associated with a first 
network layer and (b) a component of said network 
operating system that receives packets according to 
said first protocol; 

said protocol stack proxy including a proxy layer config- 
ured to 

(i) receive said data from said device driver; 

(ii) pass said data to a second network layer that is higher 
than said first network layer; and 

(iii) evaluate said data to determine whether said data 
satisfies a predetermined criteria; 

an application layer proxy in an application memory of
said computer system;

a first security policy coupled to said protocol stack proxy
and defining said criteria;

a second security policy defining a second condition of an
application protocol of said data to be evaluated; and

wherein said protocol stack proxy is configured to pass
said data to said application layer proxy only if said
data complies with said second security policy.

21. A system for evaluating data that arrives at a computer 
system that is executing a network operating system, com- 
prising: 

a protocol stack proxy coupled between (a) a device 
driver on said computer system that is configured to 
receive said data from a network and deliver said data 
according to a first protocol associated with a first 
network layer and (b) a component of said network 
operating system that receives packets according to 
said first protocol; 
said protocol stack proxy including a proxy layer config-
ured to

(i) receive said data from said device driver;

(ii) pass said data to a second network layer that is higher
than said first network layer; and

(iii) evaluate said data to determine whether said data 
satisfies a predetermined criteria; 

a security policy decision tree in a kernel memory of said 
computer system and structured as a binary tree and 
comprising as nodes thereof said security policy and at 
least a second security policy. 

22. The system recited in claim 21, further comprising at 
least one existing session identifier stored in said kernel 
memory; and wherein said protocol stack proxy is config- 
ured to pass said data to said proxy layer only if said data 
matches an existing session identifier. 

23. The system recited in claim 21, further comprising 

a network adapter card in said computer system and 
coupled to said protocol stack proxy; and

wherein the security policy decision tree comprises a first 
security policy and a second security policy associated 
with said network adapter card. 

24. The system recited in claim 23, wherein said security 
policy decision tree comprises a session identifier associated
with a network adapter card identifier and with an allowed 
protocol for said session identifier and said network adapter 
card; and 

wherein said protocol stack proxy is configured to cause 
said protocol stack proxy to pass said data to said proxy
layer only if said data matches said session identifier. 

25. The system of claim 24, wherein said protocol stack 
proxy is configured to pass said data to said protocol layer 
proxy only if said data matches said allowed protocol. 

26. The system of claim 25, further comprising:
a second proxy layer associated with said session identi- 
fier; and 

wherein protocol stack proxy is configured to cause said 
processor to pass said data to said second proxy layer 
for evaluation therein. 

27. The system of claim 26, further comprising:

a state variable stored in said protocol layer proxy and
describing a current state of a current network session.

28. A system for evaluating data that arrives at a computer 
system that is executing a network operating system com- 
prising: 

a protocol stack proxy coupled between (a) a device 
driver on said computer system that is configured to 
receive said data from a network and deliver said data 
according to a first protocol associated with a first 
network layer and (b) a component of said network 
operating system that receives packets according to 
said first protocol; 

said protocol stack proxy including a proxy layer config- 
ured to 

(i) receive said data from said device driver; 

(ii) pass said data to a second network layer that is higher 
than said first network layer; and 

(iii) evaluate said data to determine whether said data
satisfies a predetermined criteria; 

wherein said protocol stack proxy is configured to identify 
said proxy layer as said device driver to said network 
operating system. 

29. A method for evaluating data that arrives at a com-
puter system that is executing a network operating system,
comprising the steps of: 
establishing in a kernel memory of said computer system
a protocol stack proxy that is executed in kernel mode 
of the network operating system and that is coupled 
between (a) a device driver on said computer system 
that is configured to receive said data from a network 
and deliver said data according to a first protocol 
associated with a first network layer and (b) a compo- 
nent of said network operating system that receives 
packets according to said first protocol; 

with a proxy layer in said protocol stack proxy, receiving 
said data from said device driver; 

passing said data to a second network layer that is higher 
than said first network layer; 

determining whether said data satisfies a predetermined 
criteria; 

passing said data to a protocol stack of the network 
operating system that is executed outside the kernel 
mode when the data satisfies the predetermined criteria. 

30. The method recited in claim 29, wherein said com- 
puter system comprises a plurality of device drivers and said 
protocol stack proxy comprises a plurality of proxy layers, 
each proxy layer associated with one of said device drivers, 
and wherein the method further comprises the steps of, in 
each of said proxy layers: 

receiving said data from each of said device drivers; 
passing said data to said second network layer; and 
evaluating said data to determine whether said data sat- 
isfies said predetermined criteria. 

31. The method recited in claim 29, wherein said com- 
puter system further comprises a security policy in said 
memory and coupled to said protocol stack proxy and 
defining said criteria. 

32. A method for evaluating data that arrives at a com- 
puter system that is executing a network operating system, 
comprising the steps of: 

establishing in a memory of said computer system a 
protocol stack proxy coupled between (a) a device 
driver on said computer system that is configured to 
receive said data from a network and deliver said data 
according to a first protocol associated with a first 
network layer and (b) a component of said network 
operating system that receives packets according to 
said first protocol; 

with a proxy layer in said protocol stack proxy, receiving 
said data from said device driver; 

passing said data to a second network layer that is higher 
than said first network layer; 

evaluating said data to determine whether said data sat- 
isfies a predetermined criteria; 

wherein said computer system further comprises a secu- 
rity policy in said memory and coupled to said protocol 
stack proxy and defining said criteria; 

establishing an application layer proxy in an application 
memory of said computer system coupled to said 
protocol stack proxy; 

establishing a second security policy in said memory 
defining a second condition of an application protocol 
of said data to be evaluated; and 

passing said data to said application layer proxy only if 
said data complies with said second security policy. 

33. A method for evaluating data that arrives at a com- 
puter system that is executing a network operating system, 
comprising the steps of: 

establishing in a memory of said computer system a 
protocol stack proxy coupled between (a) a device 
driver on said computer system that is configured to 
receive said data from a network and deliver said data 
according to a first protocol associated with a first 
network layer and (b) a component of said network 
operating system that receives packets according to 
said first protocol; 

with a proxy layer in said protocol stack proxy, receiving 
said data from said device driver; 

passing said data to a second network layer that is higher 
than said first network layer; 

evaluating said data to determine whether said data sat- 
isfies a predetermined criteria; 

wherein said computer system further comprises a secu- 
rity policy in said memory and coupled to said protocol 
stack proxy and defining said criteria; 

establishing a security policy decision tree in a kernel 
memory of said computer system structured as a binary 
tree and comprising as nodes thereof said security 
policy and at least a second security policy. 

34. The method recited in claim 33, further comprising the 
steps of: 

establishing at least one existing session identifier stored 
in said kernel memory; and 

passing said data to said proxy layer only if said data 
matches an existing session identifier. 

35. The method recited in claim 33, wherein said com- 
puter system further comprises a network adapter card in 
said computer system and coupled to said protocol stack 
proxy; and wherein said method further comprises the step 
of: 

establishing the security policy decision tree comprising a 
first security policy and a second security policy asso- 
ciated with said network adapter card. 

36. The method recited in claim 35, wherein the step of 
establishing said security policy decision tree includes the 
steps of: 

establishing in said security policy decision tree a session 
identifier associated with a network adapter card iden- 
tifier and with an allowed protocol for said session 
identifier and said network adapter card; and 

passing said data to said proxy layer only if said data 
matches said session identifier. 

37. The method of claim 36, wherein said protocol stack 
proxy is configured to pass said data to said proxy layer only 
if said data matches said allowed protocol. 

38. The method of claim 37, further comprising the steps 
of: 

establishing in said memory a second proxy layer asso- 
ciated with said session identifier; and 

evaluating said data in said second proxy layer to deter- 
mine whether said data conforms to a second protocol 
associated with said second proxy layer. 

39. The method of claim 38, further comprising the step 
of establishing a state variable stored in said proxy layer and 
describing a current state of a current network session. 

40. A method for evaluating data that arrives at a com- 
puter system that is executing a network operating system, 
comprising the steps of: 

establishing in a memory of said computer system a 
protocol stack proxy coupled between (a) a device 
driver on said computer system that is configured to 
receive said data from a network and deliver said data 
according to a first protocol associated with a first 
network layer and (b) a component of said network 
operating system that receives packets according to 
said first protocol; 
with a proxy layer in said protocol stack proxy receiving 
said data from said device driver; 

passing said data to a second network layer that is higher 
than said first network layer; 

evaluating said data to determine whether said data sat- 
isfies a predetermined criteria; 

further comprising the step of communicating from said 
protocol stack proxy to said network operating system 
an identification that said proxy layer is said device 
driver. 

41. A system for evaluating data that arrives at a computer 
system that is executing a network operating system, com- 
prising: 

a protocol stack proxy coupled between a device driver on 
the computer system that is executed in kernel mode of 
the network operating system and configured to receive 
the data from a network and deliver the data according 
to a first protocol associated with a first network layer; 
and 

one or more components of the network operating 
system that receive packets according to the first 
protocol; 

the protocol stack proxy including one or more protocol 
proxy layers, each proxy layer associated with one of 
the network layers, configured to: (A) receive the data 
from the device driver; (B) pass the data to a proxy 
layer associated with a second network layer that is 
higher than the first network layer; (C) evaluate the data 
to determine whether the data satisfies a predetermined 
criteria; and (D) if the data satisfies the predetermined 
criteria, to (D1) pass the data to the proxy layer 
associated with the first network layer, and (D2) trans- 
mit the data to the one or more components to the 
network operating system. 

42. A system for evaluating a data packet using a network 
operating system, comprising: 

an application layer proxy in an application memory of 
said network operating system; 

a protocol layer proxy stored in a kernel memory and 
executed in a kernel mode of said network operating 
system, and coupled to the application layer proxy; and 

a sequence of instructions stored in said kernel memory 
and executed in the kernel mode configured to cause a 
processor under control of said network operating 
system to execute the steps of: 

evaluating said data packet in said protocol layer proxy in 
the kernel mode to determine whether said data packet 
satisfies a predetermined condition; 

passing said data packet from said protocol layer proxy to 
a protocol stack that is outside the kernel mode of said 
network operating system only if said data packet 
satisfies said predetermined condition; 

passing the data packet to the application layer proxy 
when information in the data packet includes a request 
for an application layer service. 
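The kernel-mode proxy that claims 29 through 42 describe, modelled as an added example (not the patent's code or any shipped implementation): a security policy decision tree structured as a binary tree, a session table binding a session identifier to a network adapter identifier and an allowed protocol, and hand-off to the user-mode protocol stack or the application layer proxy only when the predetermined criteria are met. All class, field and sample values (session ids, adapter ids, ports) are my own constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class PolicyNode:
    # Security policy decision tree structured as a binary tree (claim 33):
    # an inner node holds a predicate and two subtrees, a leaf holds the verdict.
    test: Optional[Callable[[dict], bool]] = None
    yes: Optional["PolicyNode"] = None
    no: Optional["PolicyNode"] = None
    verdict: Optional[bool] = None

    def decide(self, pkt: dict) -> bool:
        node = self
        while node.verdict is None:
            node = node.yes if node.test(pkt) else node.no
        return node.verdict

@dataclass
class ProtocolStackProxy:
    # sessions: session id -> (adapter id, allowed protocol) per claims 36-37;
    # upper_stack and app_proxy stand in for the user-mode stack and app proxy.
    sessions: dict
    policy: PolicyNode
    upper_stack: list = field(default_factory=list)
    app_proxy: list = field(default_factory=list)

    def receive(self, pkt: dict) -> str:
        sess = self.sessions.get(pkt["session"])
        if sess is None:                       # claim 34: no existing session id
            return "dropped: unknown session"
        nic, proto = sess
        if pkt["nic"] != nic or pkt["proto"] != proto:  # claims 36-37
            return "dropped: adapter/protocol mismatch"
        if not self.policy.decide(pkt):        # predetermined criteria, claim 33
            return "dropped: policy"
        self.upper_stack.append(pkt)           # leaves kernel mode (claim 29)
        if pkt.get("app_request"):             # claim 42: app layer service request
            self.app_proxy.append(pkt)
            return "passed: application layer proxy"
        return "passed: protocol stack"

def build_demo() -> ProtocolStackProxy:
    # Constructed sample policy: allow TCP to ports 80 and 443 only.
    ok, bad = PolicyNode(verdict=True), PolicyNode(verdict=False)
    ports = PolicyNode(test=lambda p: p["dport"] in (80, 443), yes=ok, no=bad)
    tree = PolicyNode(test=lambda p: p["proto"] == "tcp", yes=ports, no=bad)
    sessions = {"s1": ("nic0", "tcp"), "s2": ("nic1", "udp")}
    return ProtocolStackProxy(sessions=sessions, policy=tree)
```

The session check runs before the policy tree, so data that matches no existing session identifier never reaches the proxy layer's evaluation, which is the ordering claims 34 and 36 call for.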

43. A computer-readable medium carrying one or more 
sequences of instructions for evaluating data that arrives at 
a computer system that is executing a network operating 
system, wherein execution of the one or more sequences of 
instructions by one or more processors causes the one or 
more processors to perform the steps of: 

establishing in a kernel memory of said computer system 
a protocol stack proxy that is executed in kernel mode 
of the network operating system and that is coupled 
between (a) a device driver on said computer system 
that is configured to receive said data from a network 
and deliver said data according to a first protocol 
associated with a first network layer and (b) a compo- 
nent of said network operating system that receives 
packets according to said first protocol; 

with a proxy layer in said protocol stack proxy, receiving 
said data from said device driver; 

passing said data to a second network layer that is higher 
than said first network layer; 

determining whether said data satisfies a predetermined 
criteria; 

passing said data to a protocol stack of the network 
operating system that is executed outside the kernel 
mode when the data satisfies the predetermined criteria. 

44. A computer-readable medium as recited in claim 43, 
wherein the step of establishing in a kernel memory of said 
computer system a protocol stack proxy includes the steps of 
establishing in a kernel memory of said computer system a 
protocol stack proxy that comprises a plurality of device 
drivers and a plurality of proxy layers, each proxy layer 
associated with one of said device drivers, and wherein 
execution of the one or more sequences of instructions by 
one or more processors causes the one or more processors to 
perform the further steps of, in each of said proxy layers: 

receiving said data from each of said device drivers; 
passing said data to said second network layer; and 
evaluating said data to determine whether said data sat- 
isfies said predetermined criteria. 

45. The computer-readable medium as recited in claim 43, 
wherein execution of the one or more sequences of instruc- 
tions by one or more processors causes the one or more 
processors to perform the further steps of: 

establishing an application layer proxy in an application 
memory of said computer system coupled to said 
protocol stack proxy; 

establishing a second security policy in said memory 
defining a second condition of an application protocol 
of said data to be evaluated; and 

passing said data to said application layer proxy only if 
said data complies with said second security policy. 

46. The computer-readable medium as recited in claim 43, 
wherein execution of the one or more sequences of instruc- 
tions by one or more processors causes the one or more 
processors to perform the further steps of: 

establishing a security policy decision tree in a kernel 
memory of said computer system structured as a binary 
tree and comprising as nodes thereof said security 
policy and at least a second security policy. 

47. The computer-readable medium as recited in claim 46, 
wherein execution of the one or more sequences of instruc- 
tions by one or more processors causes the one or more 
processors to perform the further steps of: 

establishing in said security policy decision tree a session 
identifier associated with a network adapter card iden- 
tifier and with an allowed protocol for said session 
identifier and said network adapter card; and 

passing said data to said proxy layer only if said data 
matches said session identifier. 

48. The computer-readable medium as recited in claim 43, 
wherein execution of the one or more sequences of instruc- 
tions by one or more processors causes the one or more 
processors to perform the further steps of: 

establishing at least one existing session identifier stored 
in said kernel memory; and 

passing said data to said proxy layer only if said data 
matches an existing session identifier. 

49. The computer-readable medium as recited in claim 43, 
wherein execution of the one or more sequences of instruc- 
tions by one or more processors causes the one or more 
processors to perform the further steps of: 

establishing the security policy decision tree in a kernel 
memory of said computer system organized as a binary 
tree and comprising a first security policy and a second 
security policy associated with a network adapter card 
in said computer system and coupled to said protocol 
stack proxy. 

50. The computer-readable medium as recited in claim 43, 
wherein execution of the one or more sequences of instruc- 
tions by one or more processors causes the one or more 
processors to perform the further steps of: 

communicating from said protocol stack proxy to said 
network operating system an identification that said 
proxy layer is said device driver. 